
tcpdump like read pcap

Open championdot opened this issue 3 years ago • 3 comments

I have a 40G pcap file. I want to analyze the DNS packets and then extract some segments. How do I use large-pcap-analyzer for this?

tcpdump -r 2022-06-10-14-30-33-9639.pcap -tttt -nn -vvv >2022-06-10-30-33-9639-tmp

cat 2022-06-10-30-33-9639-tmp |awk '{print $1,$2,$19,$20,$21,$22,$23,$24,$25,$26,$27,$28,$29,$30,$32,$33,$34}'

championdot, Aug 05 '22 06:08

Hi, can you clarify which kind of analysis you are trying to make on the pcap file? Are you searching for a string inside the pcap? Consider that large-pcap-analyzer has no explicit support for the DNS protocol but just supports generic time/search methods.

f18m, Aug 07 '22 06:08

We have performed a tcpdump packet capture on the DNS authoritative server. The daily file size is about 40G. We need to analyze such a large pcap file, for things such as source address statistics, access type statistics, DNS response domain name statistics, DNS response TTL statistics, etc. This pcap is all DNS requests.

The following is the process. Executing the command

tcpdump -i bond0 port 53 -w $Y-$m-$d.pcap &

will produce a 40G pcap file. Then analyze this file, e.g.

tcpdump -r $Y-$m-$d.pcap -nn -tttt -vvv >$Y-$m-$d.txt

and then filter the required fields by executing the shell command

cat $Y-$m-$d.txt|awk '{print $1,$2,$19,$20,$21,$22,$23,$24,$25,$26,$27,$28,$29,$30,$32,$33,$34}'

Output:

2022-06-10 14:30:33.964413 54.86.37.24.64665 > 203.119.25.1.53: [udp sum ok] 39040+ NS? barrysilbertreports.org.cn. (44)
2022-06-10 14:30:33.964657 203.119.25.1.53 > 54.86.37.24.64665: [udp sum ok] 39040 NXDomain*- q: NS? barrysilbertreports.org.cn. 0/1/0 org.cn. [6h] SOA

When I found the large-pcap-analyzer project I was surprised; the speed at which it reads pcap files shocked me. I confirmed that this is what I need, but I need more functions from this project.

championdot, Aug 07 '22 08:08
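The awk pipeline above keys on fixed field positions ($19 onward), which silently shifts between query and response lines and whenever tcpdump prints an extra token (an EDNS `[1au]` marker, an extra resource record). The script below is an added example, not code from large-pcap-analyzer or from either participant: it parses the awk-filtered tcpdump lines by structure instead of by position and produces the four statistics championdot lists (source addresses, query types, response domain names, response TTLs), streaming line by line so a 40G text file never has to fit in memory. The sample lines embedded in it are constructed, modelled on the two lines quoted in the thread; the response layout assumed is the `-vv` "q:" question-section format shown there.

```python
"""Structure-based parser for awk-filtered `tcpdump -nn -tttt -vvv` DNS lines.

Added example; not part of large-pcap-analyzer.  Assumes the one-line-per-packet
layout shown in the issue:  date time src.port > dst.port: [udp sum ok] <txid>...
"""
import re
import sys
from collections import Counter

# Common prefix of every line.  The checksum bracket is matched loosely so that
# "[bad udp cksum ...]" lines are not dropped.
HEADER = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) > (?P<dst>\S+): "
    r"\[[^\]]*\] (?P<txid>\d+)(?P<body>.*)$"
)
# Query body, e.g. "+ NS? barrysilbertreports.org.cn. (44)" or "+ [1au] A? www.example.cn. (55)"
QUERY = re.compile(
    r"^(?P<qflags>[+%]*) (?:\[[^\]]+\] )*(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)
# Response body, e.g. " NXDomain*- q: NS? name. 0/1/0 org.cn. [6h] SOA"
# tcpdump prints no rcode word for NoError, so the rcode group is optional.
RESPONSE = re.compile(
    r"^(?: (?P<rcode>[A-Za-z]+))?(?P<flags>[*\-|$]*) q: "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?P<rrs>.*)$"
)
# TTLs are printed as bracketed relative times such as [6h], [5m], [1h5m].
TTL = re.compile(r"\[((?:\d+[dhms])+)\]")
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def ttl_seconds(text):
    """Convert tcpdump's relative-time TTL text ("1h5m") to seconds."""
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def strip_port(endpoint):
    """'54.86.37.24.64665' -> '54.86.37.24' (also works for 'fd00::1.53')."""
    return endpoint.rsplit(".", 1)[0]


def parse_line(line):
    """Return a dict for one DNS packet, or None if the line is not in the expected layout."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"src": strip_port(m["src"]), "dst": strip_port(m["dst"]), "txid": int(m["txid"])}
    q = QUERY.match(m["body"])
    if q:
        rec.update(kind="query", qtype=q["qtype"], qname=q["qname"].lower())
        return rec
    r = RESPONSE.match(m["body"])
    if r:
        rec.update(
            kind="response", qtype=r["qtype"], qname=r["qname"].lower(),
            rcode=r["rcode"] or "NoError", authoritative="*" in r["flags"],
            ttls=[ttl_seconds(t) for t in TTL.findall(r["rrs"])],
        )
        return rec
    return None  # truncated or non-DNS line: counted as unparsed by summarize()


def summarize(lines):
    """Stream over lines and build the statistics asked for in the thread."""
    stats = {k: Counter() for k in ("sources", "qtypes", "response_names", "rcodes", "ttls")}
    stats["unparsed"] = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
        elif rec["kind"] == "query":
            stats["sources"][rec["src"]] += 1
            stats["qtypes"][rec["qtype"]] += 1
        else:
            stats["response_names"][rec["qname"]] += 1
            stats["rcodes"][rec["rcode"]] += 1
            stats["ttls"].update(rec["ttls"])
    return stats


# Constructed sample input (first two lines copied from the issue, the rest made up).
SAMPLE = """\
2022-06-10 14:30:33.964413 54.86.37.24.64665 > 203.119.25.1.53: [udp sum ok] 39040+ NS? barrysilbertreports.org.cn. (44)
2022-06-10 14:30:33.964657 203.119.25.1.53 > 54.86.37.24.64665: [udp sum ok] 39040 NXDomain*- q: NS? barrysilbertreports.org.cn. 0/1/0 org.cn. [6h] SOA
2022-06-10 14:30:34.100001 198.51.100.7.40001 > 203.119.25.1.53: [udp sum ok] 4660+ [1au] A? www.example.cn. (55)
2022-06-10 14:30:34.100210 203.119.25.1.53 > 198.51.100.7.40001: [udp sum ok] 4660*- q: A? www.example.cn. 1/0/1 www.example.cn. [5m] A 192.0.2.10 ar: . OPT UDPsize=4096 (75)
2022-06-10 14:30:35.000000 54.86.37.24.64666 > 203.119.25.1.53: [udp sum ok] 39041+ AAAA? www.example.cn. (44)
"""

if __name__ == "__main__":
    # Usage: tcpdump -r file.pcap -nn -tttt -vvv | awk '...' | python3 dnsstats.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for name, counter in summarize(source).items():
        print(name, counter if isinstance(counter, int) else counter.most_common(10))
```

Because it walks the file once and keeps only counters, memory stays flat regardless of the capture size; the `unparsed` count is worth watching, since a non-zero value means tcpdump emitted a layout the regexes do not cover (TCP DNS, truncated packets) rather than that those packets did not exist.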

Hi @championdot, please consider that, as I mentioned, large-pcap-analyzer runs fast because it does only transport-layer analysis (up to TCP/UDP) and does not have code and logic to carry out protocol analysis (e.g. DNS decoding). For that you need a more sophisticated (and slower) tool like tshark from the Wireshark project...

f18m, Sep 02 '22 16:09

Hi @championdot, closing because this request is really too far from the large-pcap-analyzer design criteria...

f18m, Apr 03 '23 22:04